Description

MyTube is a self-hosted downloader and player for several video websites Prior to version 1.8.71, an unauthenticated attacker can register an arbitrary passkey and subsequently authenticate with it to obtain a full admin session. The application exposes passkey registration endpoints without requiring prior authentication. Any successfully authenticated passkey is automatically granted an administrator token, allowing full administrative access to the application. This enables a complete compromise of the application without requiring any existing credentials. Version 1.8.71 fixes the issue.

INFO

Published Date :

2026-03-27T00:38:50.089Z

Last Modified :

2026-03-27T00:38:50.089Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2026-33890 vulnerability.

Vendors Products
Franklioxygen
  • Mytube
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-33890.

URL Resource
https://github.com/franklioxygen/MyTube/commit/d6c1275a7ff7ffd3d51b53c333237f4d572580ac cve-icon cve-icon
https://github.com/franklioxygen/MyTube/security/advisories/GHSA-378w-xh68-qrc8 cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Attack Requirements
Privileges Required
User Interaction
VS Confidentiality
VS Integrity
VS Availability
SS Confidentiality
SS Integrity
SS Availability